CVE-2020-14328: 
Ansible Tower vulnerability analysis and mitigation

A Server Side Request Forgery (SSRF) vulnerability was discovered in Ansible Tower versions before 3.7.2. The vulnerability, identified as CVE-2020-14328, allows attackers to abuse functionality by supplying a URL that could lead to the server connecting to internal services or exposing additional internal services, particularly retrieving full details in case of error (NVD, Red Hat Bugzilla).

The vulnerability exists in the webhook management functionality of Ansible Tower. Organization administrators can manage webhooks (HTTP, mail, etc.), and this feature could return full details in case of error, such as HTML source for HTTP/HTTPS requests, server unavailability information, and port status. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is to data confidentiality. An attacker could potentially connect to internal services like HTTP-enabled databases or perform POST requests towards internal services that are not intended to be exposed. The vulnerability could lead to the disclosure of internal service details and system information through error messages (Red Hat Bugzilla).

The vulnerability has been fixed in Ansible Tower version 3.7.2. Users are advised to upgrade to this version or later to address the security issue. Red Hat has released security advisory RHSA-2020:3328 which includes the fix for this vulnerability (Red Hat Advisory).

The vulnerability was discovered and reported by Maxime ESCOURBIAC from the Michelin CERT team (Red Hat Bugzilla).